Symmetric Key Cryptography Patents (Class 380/259)
  • Patent number: 7376234
    Abstract: A portable encryption key installation system is disclosed that includes a portable keying device for installing a data communications encryption in an electronic terminal. The portable keying device securely reprograms the encryption key in the electronic terminal without having to remove the terminal from its shipping container or ship the electronic terminal off-site. Furthermore, the portable keying device securely reprograms the encryption key in the electronic terminal without having to dismantle the terminal, de-activate any anti-tampering features, or re-bond the terminal.
    Type: Grant
    Filed: May 14, 2001
    Date of Patent: May 20, 2008
    Assignee: Hand Held Products, Inc.
    Inventor: Robert C. Gardiner
  • Patent number: 7373501
    Abstract: An on-line diagnostics system and method enable equipment information stored in each piece of industrial equipment to be safely disclosed to maintenance personnel to the extent permitted by the user of the industrial equipment. The on-line diagnostics system comprises industrial equipment and a maintenance apparatus for the maintenance of the industrial equipment, which are connected via the Internet. Equipment information indicating the state of the industrial equipment is encrypted using a specific common key, and the encrypted equipment information is transmitted to the maintenance apparatus in response to a request therefrom. The fact that the common key has been transmitted from the industrial equipment to the maintenance apparatus is outputted. After receiving the encrypted equipment information and the common key that have been transmitted, the encrypted equipment information is decrypted using the common key, and the decrypted equipment information is outputted.
    Type: Grant
    Filed: May 22, 2003
    Date of Patent: May 13, 2008
    Assignee: Hitachi High-Technologies Corporation
    Inventors: Juntaro Arima, Takashi Iizumi, Masaaki Inaba
  • Publication number: 20080107267
    Abstract: A send component (20) breaks up an initial file to be transmitted into fragments. A symbol obtained from a fragmentation-transmission key (CFT) is linked to each fragment. A transmission path within a so-called first level intermediate relay network architecture (40, 41, 42), between the send component (20) and a receive component (30), is assigned to each of the fragments generated. Following reception, the receive component (30) reassembles the fragments on the basis of the relevant data of the fragmentation-transmission key (CFT) already obtained via a so-called second level relay (10).
    Type: Application
    Filed: March 16, 2005
    Publication date: May 8, 2008
    Inventor: Philippe Joliot
  • Patent number: 7370350
    Abstract: A method of authenticating a first computing device in communication over a network to a second computing device is disclosed. The first computing device is authenticated to the second computing device using a first authentication mechanism. The first authentication mechanism is based on Extensible Authentication Protocol (EAP) or IEEE 802.1x authentication. Short-term re-authentication data is generated and issued to the first computing device. Later, a request from the first computing device to re-authenticate to the second computing device is received. The first computing device is re-authenticated to the second computing device using a challenge-response mechanism in which the first computing device authenticates itself by presenting the short-term authentication credential to the second computing device. Accordingly, re-authentication proceeds more quickly and with fewer message exchanges.
    Type: Grant
    Filed: June 27, 2002
    Date of Patent: May 6, 2008
    Assignee: Cisco Technology, Inc.
    Inventor: Joseph Salowey
  • Patent number: 7366903
    Abstract: A card activated cash dispensing automated banking machine (12, 200, 302) is provided. The machine may be operative to install a terminal master key (TK) therein in response to at least one input from a single operator. The machine may include an EPP (204) that is operative to remotely receive an encrypted terminal master key from a host system (210, 304). The machine may authenticate and decrypt the terminal master key prior to accepting the terminal master key. The machine may further output through a display device (30) of the machine a one-way hash of at least one public key associated with the host system. The machine may continue with the installation of the terminal master key in response to an operator confirming that the one-way hash of the public key corresponds to a value independently known by the operator to correspond to the host system.
    Type: Grant
    Filed: December 26, 2006
    Date of Patent: April 29, 2008
    Assignee: Diebold, Incorporated
    Inventors: Timothy Zajkowski, Anne Doland, Mark D. Smith
  • Patent number: 7366917
    Abstract: A method for accessing discrete data includes transmitting a write command to a memory, determining whether each data following a header of the file needs to be encrypted according to a data format of a file that is to be written into the memory, transmitting the file header and each data following the file header to a logic unit, turning on the logic unit for encrypting the data determined to be encrypted and writing the encrypted data into the memory, turning off the logic unit for writing the data determined not to be encrypted into the memory directly, and sending a first response signal from the memory when the writing of the file is finished.
    Type: Grant
    Filed: September 17, 2004
    Date of Patent: April 29, 2008
    Assignee: Faraday Technology Corp.
    Inventor: Yung-Cheng Shih
  • Patent number: 7363496
    Abstract: A method and system are provided for determining a shared secret between two entities in a cryptosystem. A first random secret is selected that is known to the first entity and unknown to the second entity. A first intermediate shared secret component is determined using the first random secret and a system parameter. The first intermediate shared secret component is communicated to the second entity. A second random secret is selected that is known to the second entity, but unknown to the first entity. A second intermediate shared secret component is determined using the second random secret and the system parameter. The second intermediate shared secret component is communicated to the first entity. It is confirmed that both the first entity and the second entity know a non-interactive shared secret. An interactive shared secret is determined using the first random secret, the second random secret, and the system parameter.
    Type: Grant
    Filed: February 17, 2006
    Date of Patent: April 22, 2008
    Assignee: NTT DoCoMo Inc.
    Inventors: Craig B. Gentry, Alice Silverberg
  • Patent number: 7362863
    Abstract: A symmetric key cryptographic method is provided for short operations. The method includes batching a plurality of operation parameters (1503), and performing an operation according to a corresponding operation parameter (1505). The symmetric key cryptographic method is a Data Encryption Standard (DES) method. The short operations can be less than about 80 bytes. The short operations can be between 8 and 80 bytes. The method includes reading the batched parameters from a dynamic random access memory (1504), and transmitting each operation through a DES engine according to the operations parameter (1505).
    Type: Grant
    Filed: April 30, 2001
    Date of Patent: April 22, 2008
    Assignee: International Business Machines Corporation
    Inventors: Mark Lindemann, Ronald Perez, Sean William Smith
  • Patent number: 7359515
    Abstract: A symmetric-key cryptographic technique capable of realizing both high-speed cryptographic processing having a high degree of parallelism, and alteration detection. The invention includes dividing plaintext composed of redundancy data and a message to generate plaintext blocks each having a predetermined length; generating a random number sequence based on a secret key, generating a random number block corresponding to one of the plaintext blocks from the random number sequence, outputting a feedback value obtained as a result of operation on the one plaintext block and the random number block, the feedback value being fed back for using the operation on another plaintext block, and performing an encryption operation using the one plaintext block, random number block, and feedback value.
    Type: Grant
    Filed: November 21, 2006
    Date of Patent: April 15, 2008
    Assignee: Hitachi, Ltd.
    Inventors: Soichi Furuya, Kazuo Takaragi, Hiroyuki Kurumatani, Masashi Takahashi, Kunihiko Miyazaki, Hisayoshi Sato, Dai Watanabe
  • Patent number: 7353395
    Abstract: A method and system are provided for determining a shared secret between two entities in a cryptosystem. A first random secret is selected that is known to the first entity and unknown to the second entity. A first intermediate shared secret component is determined using the first random secret and a system parameter. The first intermediate shared secret component is communicated to the second entity. A second random secret is selected that is known to the second entity, but unknown to the first entity. A second intermediate shared secret component is determined using the second random secret and the system parameter. The second intermediate shared secret component is communicated to the first entity. It is confirmed that both the first entity and the second entity know a non-interactive shared secret. An interactive shared secret is determined using the first random secret, the second random secret, and the system parameter.
    Type: Grant
    Filed: June 28, 2002
    Date of Patent: April 1, 2008
    Assignee: NTT DoCoMo Inc.
    Inventors: Craig B. Gentry, Alice Silverberg
  • Patent number: 7349959
    Abstract: The present invention creates a SOAP message without using DOM by generating a body part by sequentially performing such a process of a message as encryption or signing for each piece of the message, generating a header part by using information acquired during the process, and by combining the body part and the header part. The present invention also breaks a SOAP message without using DOM by acquiring header information with parsing a received SOAP message and sequentially performing decode or verification of a signature of a body part according to the header information.
    Type: Grant
    Filed: March 5, 2004
    Date of Patent: March 25, 2008
    Assignee: International Business Machines Corporation
    Inventors: Takeshi Imamura, Andy Clak, Hiroshi Maruyama, Yumi Yamaguchi, Masayoshi Teraguchi, Takayuki Itoh, Fumiko Satoh
  • Publication number: 20080069359
    Abstract: Some embodiments include communication methods, methods of forming an interconnect, signal interconnects, integrated circuit structures, circuits, and data apparatuses. In one embodiment, a communication method includes accessing an optical signal comprising photons to communicate information, accessing an electrical signal comprising electrical data carriers to communicate information, and using a single interconnect, communicating the optical and electrical signals between a first spatial location and a second spatial location spaced from the first spatial location.
    Type: Application
    Filed: August 31, 2006
    Publication date: March 20, 2008
    Inventor: Chandra Mouli
  • Patent number: 7346586
    Abstract: This invention concerns a validation protocol for determining whether an untrusted authentication chip is valid, or not. The protocol may be used to determine the physical presence of a valid authentication chip and from that determine whether a consumable containing the chip is valid. In another aspect the invention also concerns a system for validating the chip. A random number is generated and encrypted with an asymmetric encryption function. It is then passed to an untrusted authentication chip where it is decrypted. The decrypted random number is then compared with the original random number, and in the event of a match the untrusted chip is considered to be valid.
    Type: Grant
    Filed: March 2, 2000
    Date of Patent: March 18, 2008
    Assignee: Silverbrook Research Pty Ltd
    Inventor: Simon Robert Walmsley
  • Patent number: 7334127
    Abstract: A key establishment protocol includes the generation of a value of a cryptographic function, typically a hash, of a session key and public information. This value is transferred between correspondents together with the information necessary to generate the session key. Provided the session key has not been compromised, the value of the cryptographic function will be the same at each of the correspondents. The value of the cryptographic function cannot be compromised or modified without access to the session key.
    Type: Grant
    Filed: May 16, 2003
    Date of Patent: February 19, 2008
    Assignee: Certicom Corp.
    Inventor: Marinus Struik
  • Publication number: 20080037785
    Abstract: A constrained proxy key is used to secure communications between two devices via an intermediary device. A first proxy key is generated at a host device (key generator device) based on a shared secret key, one or more constraints on the first proxy key, and a key derivation function. At least the shared secret key and key derivation function are known to the host device and a client device (authentication device). The first proxy key is sent to a proxy device to use in authenticating communications with the client device. An authenticated message is generated by the proxy device using the first proxy key and sent to the client device. The client device locally generates a second proxy key using the key derivation function, one or more constraints, and the shared secret key for authenticating the proxy device. The proxy device is authenticated if the client device successfully accesses the authenticated message from the proxy device using the second proxy key.
    Type: Application
    Filed: September 27, 2006
    Publication date: February 14, 2008
    Inventors: Alexander Gantman, Tolga Yalcinkaya, Gregory Gordon Rose, Lu Xiao
  • Patent number: 7327846
    Abstract: One aspect of the present invention establishes a session key by a receiving unit R transmitting a plurality of quantities for storage in a public repository. A sending unit S: 1. retrieves the plurality of quantities; and 2. computes and transmits to the unit R a plurality of sender's quantities; and 3. using at least one of the plurality of public quantities, computes the session key K. The unit R, using the sender's quantities: 1. computes and transmits to the unit S at least one receiver's quantity; and 2. computes the session key. Another aspect provides a digital signature. Before transmitting a signed message, the unit S stores a plurality of quantities in the public-repository. A unit R, that receives the message and the digital signature, verifies their authenticity by: 1. retrieving the quantities from the repository; 2. using the digital signature and the quantities, evaluates expressions in at least two (2) different relationships; and 3.
    Type: Grant
    Filed: September 5, 2000
    Date of Patent: February 5, 2008
    Inventor: Chung Nan Chang
  • Patent number: 7316028
    Abstract: A method (300;400) and system (100) for transmitting information across a firewall (130b) between multiple endpoints (120) and gateways (135), in a resource management environment (such as the TME) having characteristics that are firewall-incompatible. A gateway proxy (125g) and an endpoint proxy (125e) are associated with the endpoints and the gateways, respectively. The two proxies are connected to each other by means of a pass through communication tunnel crossing the firewall, which tunnel is secured by mutual authentication of the gateway proxy and the endpoint proxy at its ends. Each endpoint and each gateway is tricked into communication only with the respective proxy. Particularly, a listening port is allocated on the endpoint proxy on behalf of each endpoint, so that the corresponding gateway will open a connection back to the endpoint proxy on the listening port for transmitting any packet to the endpoint.
    Type: Grant
    Filed: November 7, 2002
    Date of Patent: January 1, 2008
    Assignee: International Business Machines Corporation
    Inventors: Alex Donatelli, Marco Lerro
  • Patent number: 7305085
    Abstract: In each stage, multiple parallel nonlinear transformation modules each perform local lower-level diffusion, then a diffusion module performs higher-level diffusion over the block width and multiple parallel nonlinear transformation modules each perform local lower-level diffusion. This operation is repeated a predetermined number of times corresponding to the number of stages. Each nonlinear transformation module is formed into the nested SPN structure by arranging alternately nonlinear transformation modules and a diffusion module. The diffusion module performs linear transformation for spreading the state of at least one bit in input data to the preceding nonlinear transformation modules to at least one bit in input data to the succeeding nonlinear transformation modules.
    Type: Grant
    Filed: June 29, 2001
    Date of Patent: December 4, 2007
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Kenji Ohkuma, Fumihiko Sano, Hirofumi Muratani, Shinichi Kawamura
  • Patent number: 7298849
    Abstract: The present invention provides secure communication from one encryption domain to another using a trusted module. In one embodiment, the invention includes generating a cipher stream based on a first key for encrypted streamed content, and generating a second cipher stream based on a second key to re-encrypt the streamed content. The invention further includes receiving the encrypted streamed content, simultaneously decrypting and re-encrypting the encrypted content using a combination of the first and the second cipher streams and conveying the re-encrypted content to a sink.
    Type: Grant
    Filed: June 29, 2001
    Date of Patent: November 20, 2007
    Assignee: Intel Corporation
    Inventor: Gary L. Graunke
  • Patent number: 7283629
    Abstract: A plurality of message processors exchange public and secret information. Based on the exchanged information, each message processor computes a key sequence such that any one of a plurality of keys may be derived from the key sequence depending on key derivation data. A first message processor generates key derivation data that can be used to derive a particular key from among the plurality of keys. The first message processor sends a security token that includes the generated key derivation data to express to at least one other message processor how to derive the particular key from the computed key sequence. At least a second message processor receives the security token expressing how to derive the particular key from the computed key sequence. The first and/or second message processors apply the key derivation data to the computed key sequence to derive the particular key.
    Type: Grant
    Filed: December 5, 2002
    Date of Patent: October 16, 2007
    Assignee: Microsoft Corporation
    Inventors: Christopher G. Kaler, Giovanni M. Della-Libera, Elliot L. Waingold
  • Patent number: 7281125
    Abstract: A method, computer program product and computer system for securing alterable data. A computer that is remotely managed may be equipped with a protected storage that is accessible only by BIOS code. The protected storage may have the capacity to store a symmetrical encryption key. An EEPROM, which normally contains the BIOS code, may be used to store accessible configuration data as well as remotely unaccessible sensitive access information (e.g., passwords). The remotely unaccessible sensitive data is encrypted with the symmetrical encryption key by the BIOS code. Remote access to the sensitive data is accomplished via change requests submitted to the BIOS code over a secure channel. The BIOS code then determines whether the request is valid. If so, then sensitive data is decrypted, altered, encrypted, and re-written into the EEPROM. Normal access to accessible data is unaffected and remote access is allowed without changing the computer system architecture.
    Type: Grant
    Filed: August 24, 2001
    Date of Patent: October 9, 2007
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: David Carroll Challener, Steven Dale Goodman, David Robert Safford, Randall Scott Springfield
  • Patent number: 7272231
    Abstract: A method for protecting data for access by a plurality of users. A server encrypts data using a master key and a symmetric encryption algorithm. For each authorized user, a key encryption key (KEK) is derived from a passphrase, and the master key is encrypted using the KEK. The server posts the encrypted data and an ancillary file that includes, for each user, a user identifier and the master key encrypted according to the user's KEK. To access the data, a user enters the passphrase into a client, which re-derives the user's KEK, and finds, in the ancillary file, the master key encrypted using the user's KEK. The client decrypts the master key and then decrypts the data. A KEK may be derived from a natural language passphrase by hashing the passphrase, concatenating the result and a predetermined text, hashing the concatenation, and truncating.
    Type: Grant
    Filed: January 27, 2003
    Date of Patent: September 18, 2007
    Assignee: International Business Machines Corporation
    Inventors: Per Erwin Jonas, Allen Leonid Roginsky, Nevenko Zunic
  • Patent number: 7272858
    Abstract: A device has a symmetric device key (DK) and a copy of (DK) encrypted according to a public key (PU) of an entity (PU(DK)). The device receives an object from a host computer, at least a portion of which is encrypted according to (DK). The device sends (PU(DK)) to the host computer, and the host computer sends (PU(DK)) to the entity. The entity applies a corresponding private key (PR) to (PU(DK)) to obtain (DK) and sends (DK) to the host computer. The host computer may then encrypt the object according to (DK) and download same to the device, and the device may decrypt the encrypted object based on (DK).
    Type: Grant
    Filed: April 16, 2002
    Date of Patent: September 18, 2007
    Assignee: Microsoft Corporation
    Inventors: M. Jay Parks, Jonas Fredrik Helin
  • Publication number: 20070172065
    Abstract: An apparatus and method for transferring a Rights Object (RO) for a content between devices via a server, wherein a sending device converts a first RO taken by itself to encode into a second RO, and sends an RO move request message including the second RO to the server, whereas the server converts the second RO included in the RO move request message into a third RO and transfers the third RO to a receiving device, whereby the receiving device receives the third RO from the server for installation, wherein the sending device deletes or modifies the first RO at an appropriate time point.
    Type: Application
    Filed: January 25, 2007
    Publication date: July 26, 2007
    Inventors: Seung-Jae Lee, Te-Hyun Kim, Youn-Sung Chu, Sung-Mu Son, Kiran Kumar Keshavamurthy
  • Patent number: 7249108
    Abstract: This invention concerns a validation protocol for determining whether an untrusted authentication chip is valid, or not. The protocol may be used to determine the physical presence of a valid authentication chip and from that determine whether a consumable containing the chip is valid. In another aspect the invention also concerns a system for validating the chip. The invention involves generating a random number in a trusted authentication chip, then applying a keyed one way function to the random number in both the trusted authentication chip and an untrusted authentication chip and comparing the outcomes. A match indicates that the untrusted chip is valid.
    Type: Grant
    Filed: March 2, 2000
    Date of Patent: July 24, 2007
    Assignee: Silverbrook Research Pty Ltd
    Inventors: Simon Robert Walmsley, Paul Lapstun
  • Patent number: 7246098
    Abstract: This invention concerns a consumable authentication protocol for validating the existence of an untrusted authentication chip, as well as ensuring that the Authentication Chip lasts only as long as the consumable. In a further aspect it concerns a consumable authentication system for the protocol. In this invention we are concerned not only with validating that an authentication chip is present, but writes and reads of the authentication chip's memory space must be authenticated as well. A random number is encrypted using a first key and sent to an untrusted chip. In the untrusted chip it is decrypted using a secret key and re-encrypted together with a data message read from the untrusted chip. This is decrypted so that a comparison can be made with the generated random number and the read data message.
    Type: Grant
    Filed: March 2, 2000
    Date of Patent: July 17, 2007
    Assignee: Silverbrook Research Pty Ltd
    Inventor: Simon Robert Walmsley
  • Patent number: 7236593
    Abstract: An apparatus for encryption and decryption, capable of use in encryption and decryption of advanced encryption standard. Byte substitution operation and inverse byte substitution operation are to be combined. Byte substitution operation can be expressed as y=M*multiplicative_inverse(x)+c while inverse byte substitution operation can be expressed as x=multiplicative_inverse(M⁻¹*(y+c)), wherein M and M⁻¹ are inverse matrices of each other and c is a constant matrix. Since the two equations employ a look-up table, that is, multiplicative_inverse(x), the lookup tables for use in byte substitution and inverse byte substitution operations are to be combined according to the invention so as to lower hardware complexity of the implementation. In addition, main operations of column mixing operation and inverse column mixing operation are to be rearranged to combine the two operations in part, resulting in simplified hardware implementation.
    Type: Grant
    Filed: March 29, 2002
    Date of Patent: June 26, 2007
    Assignee: Industrial Technology Research Institute
    Inventors: Chih-Chung Lu, Shau-Yin Tseng
  • Patent number: 7237110
    Abstract: An observation unit of an authentication apparatus and an observation unit of an authentication target apparatus observe a radio wave from a common radio star at a common observation time. A sending unit sends information message including information on the observed radio wave, and an information reception unit receives it. An estimation unit estimates a position of the authentication target apparatus based on “the information on the radio wave observed by the observation unit” and “information on the radio wave observed by the observation unit”. A retaining unit pre-retains positions of one or more authentication target apparatus(s). A determination unit checks whether a position of the authentication target apparatus pre-retained in the retaining unit and the estimated position correspond within a predetermined error range, and settles authentication for the information message as a success in a case where the positions correspond.
    Type: Grant
    Filed: January 22, 2003
    Date of Patent: June 26, 2007
    Assignee: National Institute of Information and Communications Technology Incorporated Administrative Agency
    Inventors: Fujinobu Takahashi, Ken Umeno, Tetsuro Kondo
  • Patent number: 7234063
    Abstract: Group key management techniques are applied to generating pair-wise keys for point-to-point secure communication applications. Nodes participating in a secure communication group each receive a group key and associated policy information. When a first node wishes to establish a secure point-to-point connection to a second node, the first node derives a pairwise key from the group key and policy information, for example, by hashing the group key and information identifying the two nodes. As a result, a pairwise key is generated without exchanging negotiation messages among the two nodes and without expensive asymmetric cryptographic computation approaches.
    Type: Grant
    Filed: August 27, 2002
    Date of Patent: June 19, 2007
    Assignee: Cisco Technology, Inc.
    Inventors: Mark Baugher, David McGrew, Jan Vilhuber, Brian Weis
  • Patent number: 7234058
    Abstract: Group key management techniques are applied to generating pair-wise keys for point-to-point secure communication applications. Nodes participating in a secure communication group each receive a group key and associated policy information. When a first node wishes to establish a secure point-to-point connection to a second node, the first node derives a pairwise key from the group key and policy information, for example, by hashing the group key and information identifying the two nodes. As a result, a pairwise key is generated without exchanging negotiation messages among the two nodes and without expensive asymmetric cryptographic computation approaches.
    Type: Grant
    Filed: October 1, 2002
    Date of Patent: June 19, 2007
    Assignee: Cisco Technology, Inc.
    Inventors: Mark Baugher, David McGrew, Jan Vilhuber, Brian Weis
  • Patent number: 7225336
    Abstract: A system for giving run authorization to a program installed on a computer, comprising a checking unit having a receiving device and, at least partially, forms part of the computer or is linked with the latter via a data link, and a device which is transportable separately from the computer and from the checking unit and connectable to the receiving device within a predetermined distance therefrom by a wireless link through which an identification code contained in said device is transmitted to the checking unit, said checking unit comparing the transmitted identification code with a reference code and giving the run authorization, if both codes are identical.
    Type: Grant
    Filed: December 10, 2001
    Date of Patent: May 29, 2007
    Assignee: Aladdin Europe GmbH
    Inventor: Michael Zunke
  • Patent number: 7225331
    Abstract: A system and method for protecting data transmitted across a private network is disclosed. A secure channel is established so that the client computer can securely transmit a password to the server computer. Once the password has been transmitted, future transmissions use the password to encrypt data by the sending computer and decipher the data at the receiving computer. In one embodiment, passwords expire after a certain amount of time and are thereafter renegotiated. In another embodiment, the password is successively modified by a counter value further preventing unauthorized persons from discovering the password used to encrypt the data. By using passwords rather than public-key encryption methods, less system resources are required to maintain data confidentiality. An information handling system securely transmitting data within a private network as well as a computer program product programmed to perform the encryption processing are further disclosed.
    Type: Grant
    Filed: June 15, 2000
    Date of Patent: May 29, 2007
    Assignee: International Business Machines Corporation
    Inventors: Gerald Francis McBrearty, Shawn Patrick Mullen, Johnny Meng-Han Shieh, Ramachandran Unnikrishnan
  • Patent number: 7224795
    Abstract: A variable-length key cryptosystem is provided, in which the amount of parameters for generating a key to be shared is small, security is high, and calculation cost is small. The length of a plain text inputted from a data input part 10 is detected by a data string length detection processing part 20. A variable-length key generation processing part 30 generates an encryption key with a required arbitrary length, using an initial character string and a conversion rule, based on the length of a plain text. A conversion character string generation processing part 32 generates a converted character string from an initial character string by applying a conversion rule of increasing the length of a character string. Conversion is conducted until the length of a plain text is reached. An encryption key is not used twice. Therefore, an unused conversion character string is searched for, and a stream code processing part 40 generates an encrypted text by using a generated encrypted string.
    Type: Grant
    Filed: March 26, 2002
    Date of Patent: May 29, 2007
    Assignees: Fujitsu Limited
    Inventors: Yuji Takada, Taishin Nishida
  • Patent number: 7221762
    Abstract: A method and system are provided for determining a shared secret between two entities in a cryptosystem. A first random secret is selected that is known to the first entity and unknown to the second entity. A first intermediate shared secret component is determined using the first random secret and a system parameter. The first intermediate shared secret component is communicated to the second entity. A second random secret is selected that is known to the second entity, but unknown to the first entity. A second intermediate shared secret component is determined using the second random secret and the system parameter. The second intermediate shared secret component is communicated to the first entity. It is confirmed that both the first entity and the second entity know a non-interactive shared secret. An interactive shared secret is determined using the first random secret, the second random secret, and the system parameter.
    Type: Grant
    Filed: February 17, 2006
    Date of Patent: May 22, 2007
    Assignee: NTT DoCoMo, Inc.
    Inventors: Craig B. Gentry, Alice Silverberg
  • Patent number: 7215773
    Abstract: A method of providing improved security in a communication system used to transfer information between at least a pair of correspondents. The communication between the correspondents generally comprises steps of generating key pairs in accordance with the arithmetic properties of a chosen algorithm, communicating one of the keys, being a public key, to the other party by way of a certificate, generation and transmission of a signature using a private key of the key pairs by one of the correspondents and transmitting the signature to the other correspondent and verification of the signature by the recipient. The invention provides for the additional step of verifying that the public key conforms to the arithmetic properties dictated by the requirements of the selected algorithm.
    Type: Grant
    Filed: October 14, 1998
    Date of Patent: May 8, 2007
    Assignee: Certicom Corp.
    Inventor: Donald B. Johnson
  • Patent number: 7212631
    Abstract: Techniques for efficient KASUMI ciphering are disclosed. In one aspect, one KASUMI round for generating a fractional portion of the KASUMI cipher is deployed with appropriate feedback such that eight sequential rounds produce the KASUMI output. In another aspect, one third of the FO function is deployed with appropriate feedback such that three successive cycles produce the FO output. In yet another aspect, the FI function is deployed with appropriate feedback such that two subsequent cycles produce the FI output. In yet another aspect, a sub-key generator comprising two shift registers produces sub-keys for each round and sub-stage thereof in an efficient manner. These aspects, collectively, yield the advanced benefits of low area and low cost implementations of KASUMI with a simple user interface. Various other aspects of the invention are also presented.
    Type: Grant
    Filed: August 1, 2001
    Date of Patent: May 1, 2007
    Assignee: Qualcomm Incorporated
    Inventors: Roberto Fabian Averbuj, Pradeep Kumar Mishra, Rajat Rajinderkumar Dhawan
  • Patent number: 7213149
    Abstract: For the authentication of messages communicated in a distributed system from an originator to a destination a keyed-hashing technique is used according to which data to be authenticated is concatenated with a private (secret) key and then processed to the cryptographic hash function. The data are transmitted together with the digest of the hash function from the originator to the destination. The data comprises temporal validity information representing the temporal validity of the data. For example the setup key of a communication is therefore only valid within a given time interval that is dynamically defined by the communication originator. After the time interval is exceeded the setup key is invalid and cannot be reused again.
    Type: Grant
    Filed: December 1, 2000
    Date of Patent: May 1, 2007
    Assignee: Sony Deutschland GmbH
    Inventor: Niels Mache
  • Patent number: 7200226
    Abstract: According to some embodiments, cipher block chaining decryption is performed.
    Type: Grant
    Filed: September 4, 2003
    Date of Patent: April 3, 2007
    Assignee: Intel Corporation
    Inventor: Matthew M. Bace
  • Patent number: 7200232
    Abstract: A symmetric-key cryptographic technique capable of realizing both high-speed cryptographic processing having a high degree of parallelism, and alteration detection. The invention includes dividing plaintext composed of redundancy data and a message to generate plaintext blocks each having a predetermined length, generating a random number sequence based on a secret key, generating a random number block corresponding to one of the plaintext blocks from the random number sequence, outputting a feedback value obtained as a result of operation on the one plaintext block and the random number block, the feedback value being fed back for use in the operation on another plaintext block, and performing an encryption operation using the one plaintext block, random number block, and feedback value.
    Type: Grant
    Filed: March 28, 2001
    Date of Patent: April 3, 2007
    Assignee: Hitachi, Ltd.
    Inventors: Soichi Furuya, Kazuo Takaragi, Hiroyuki Kurumatani, Masashi Takahashi, Kunihiko Miyazaki, Hisayoshi Sato, Dai Watanabe
  • Patent number: 7197642
    Abstract: This invention concerns a consumable authentication protocol for validating the existence of an untrusted authentication chip, as well as ensuring that the authentication chip lasts only as long as the consumable. In a further aspect it concerns a consumable authentication system for the protocol. A trusted authentication chip has a test function; and the untrusted authentication chip has a read function to test data from the trusted chip, including a random number and its signature, encrypted using a first key, by comparing the decrypted signature with a signature calculated from the decrypted random number. In the event that the two signatures match, it returns a data message and an encrypted version of the data message in combination with the random number, encrypted using the second key.
    Type: Grant
    Filed: February 15, 2001
    Date of Patent: March 27, 2007
    Assignee: Silverbrook Research Pty Ltd
    Inventors: Simon Robert Walmsley, Kia Silverbrook
  • Patent number: 7191335
    Abstract: A method of encryption of data in a digital television system communicated between a first decoder and a portable security module, wherein a precalculated key pair is stored in a memory of the first decoder, wherein the key pair includes a session key and an encrypted version of the session key prepared using a transport key, the encrypted version of the session key being subsequently communicated to the portable security module which decrypts the encrypted version using an equivalent transport key stored in its memory such that data communicated from at least the portable security module to the first decoder may thereafter be encrypted and decrypted by the session key.
    Type: Grant
    Filed: February 4, 2000
    Date of Patent: March 13, 2007
    Assignee: Canal + Technologies
    Inventor: Michel Maillard
  • Patent number: 7184546
    Abstract: The method is based on symmetrical encryption algorithms of variable length blocks, supported by a Pseudo-noise Sequence Generator based in turn on one (or two) linear sequence generators (LFSR with a primitive polynomial). The basic versions of these algorithms include the plotting of a set of lines which is defined by a pole and a contour, but ensuring that the points inside the contour become inverted when plotted each time the pixel is found in one of the set of lines. Usually, two contours will be used, one of them shall act as the boundary for the data area and in a modification of the same the set of lines is created by means of unregularised contours.
    Type: Grant
    Filed: February 13, 2001
    Date of Patent: February 27, 2007
    Inventor: Francisco Andeyro Garcia
  • Patent number: 7178030
    Abstract: A method of electronically signing a document includes initializing a user, including generating an asymmetric key pair including a private signing key and a public signing key, and storing the private signing key and the public signing key; and providing an electronic signature, including receiving document data corresponding to at least one selected portion of the document, binding the stored private signing key and the document data to create an electronic signature, and providing the electronic signature for a recipient.
    Type: Grant
    Filed: October 25, 2001
    Date of Patent: February 13, 2007
    Assignee: TecSec, Inc.
    Inventors: Edward Scheidt, James Kolouch, Ersin L. Domangue, Mark A. Odell, Wai Lin Tsang
  • Patent number: 7177424
    Abstract: An encryption system comprises a pseudo-random number generator (KS) for generating a long pseudo-random sequence (S) from a shorter encryption key (K) and, if necessary, a nonce value (N), and a mixing function (MX) for combining the sequence with a plaintext message (P) on a block-by-block basis, where successive blocks (S(i)) of 128 bits of the sequence are combined with successive 64-bit blocks of plaintext (P(i)) to produce successive 64-bit blocks of ciphertext. The blockwise use of a long pseudo-random sequence preserves the advantages of a block cipher in terms of data confidentiality and data integrity, as well as benefiting from the speed advantages of a stream cipher.
    Type: Grant
    Filed: May 17, 2000
    Date of Patent: February 13, 2007
    Assignee: Hitachi, Ltd.
    Inventors: Soichi Furuya, Michael Roe
  • Patent number: 7168090
    Abstract: Methods and apparatus for authenticating a mobile node are disclosed. A server is configured to provide a plurality of security associations associated with a plurality of mobile nodes. A packet identifying a mobile node may then be sent to the server from a network device such as a Home Agent. A security association for the mobile node identified in the packet may then be obtained from the server. The security association may be sent to the network device to permit authentication of the mobile node. Alternatively, authentication of the mobile node may be performed at the server by applying the security association.
    Type: Grant
    Filed: June 10, 2004
    Date of Patent: January 23, 2007
    Assignee: Cisco Technology, Inc.
    Inventor: Kent K. Leung
  • Patent number: 7167981
    Abstract: A method of transmitting email and a device for transmitting email capable of broadcasting the email including encrypted data effectively. When a personal computer PC1 accepts an instruction to transmit the same data to multiple destinations by email, the PC1 generates a session key (S105) and encrypts the data by utilizing the generated session key (S106). Next, the PC1 generates the common key by utilizing a public key generated based on an email address of each destination and the secret key acquired from a center in advance (S107), and encrypts the session key by utilizing the generated common key (S108). The PC1 transmits the email including the encrypted data and the encrypted session key to each destination (S110).
    Type: Grant
    Filed: January 23, 2002
    Date of Patent: January 23, 2007
    Assignee: Murata Kikai Kabushiki Kaisha
    Inventor: Yoshifumi Tanimoto
  • Patent number: 7159114
    Abstract: An automated banking machine (12, 200, 302) is provided. The machine may be operative to install a terminal master key (TK) therein in response to at least one input from a single operator. The machine may include an EPP (204) that is operative to remotely receive an encrypted terminal master key from a host system (210, 304). The machine may authenticate and decrypt the terminal master key prior to accepting the terminal master key. The machine may further output through a display device (30) of the machine a one-way hash of at least one public key associated with the host system. The machine may continue with the installation of the terminal master key in response to an operator confirming that the one-way hash of the public key corresponds to a value independently known by the operator to correspond to the host system.
    Type: Grant
    Filed: April 19, 2002
    Date of Patent: January 2, 2007
    Assignee: Diebold, Incorporated
    Inventors: Timothy Zajkowski, Anne Doland, Mark D. Smith
  • Patent number: 7155011
    Abstract: The present invention relates to an encryption method for encrypting information including a series of multiple unit blocks, one at a time, a decryption method for decrypting multiple encrypted unit blocks, one at a time, and a recording and reproducing apparatus that uses those methods. The seed of an encryption key for encrypting each unit block and the seed of an encryption key for decrypting each encrypted unit block, which are used by those methods and the recording and reproducing apparatus, are based on a unit block that is one or more unit blocks before the current unit block in a reproduction order or on information generated by encrypting one or more unit blocks before the current unit block. Alternatively, the seed of an encryption key for encrypting each unit block and the seed of an encryption key for decrypting each encrypted unit block are information based on an encryption key for encrypting a unit block before the current unit block in a reproduction order.
    Type: Grant
    Filed: March 8, 2002
    Date of Patent: December 26, 2006
    Assignee: Victor Company of Japan, Limited
    Inventors: Kenjiro Ueda, Takayuki Sugahara, Wataru Inoha, Seiji Higurashi, Toshio Kuroiwa
  • Patent number: 7133522
    Abstract: A method for encryption and decryption of data items is provided by defining a cipher key based on variables in a Chaotic Equation. The method includes selecting a Chaotic Equation (110) from a set of Chaotic Equations, defining starting conditions of the variables of the equation (140), and applying the equation to each data item (120). The real and imaginary parts of the result of the iteration of the Chaotic Equation are combined with the data item by an arithmetic operation, for example, an XOR operation (120). Data items in a continuous stream with a rate dependency can be encrypted and decrypted on an item by item basis. The input or cipher key changes for each byte of the data encryption. Blocks of data (700, 701, 702, 703, 704) can be encrypted using the method with an identifier of the order of the blocks in the data stream. If blocks are received out of sequence, the identifiers can be used to maintain the correct decryption order.
    Type: Grant
    Filed: February 14, 2002
    Date of Patent: November 7, 2006
    Assignee: International Business Machines Corporation
    Inventor: Howard S. Lambert
  • Patent number: 7127741
    Abstract: An e-mail firewall applies policies to e-mail messages transmitted between a first site and a plurality of second sites. The e-mail firewall includes a plurality of mail transfer relay modules for transferring e-mail messages between the first site and one of the second sites. Policy managers are used to enforce and administer selectable policies. The policies are used to determine security procedures for the transmission and reception of e-mail messages. The e-mail firewall employs signature verification processes to verify signatures in received encrypted e-mail messages. The e-mail firewall is further adapted to employ external servers for verifying signatures. External servers are also used to retrieve data that is employed to encrypt and decrypt e-mail messages received and transmitted by the e-mail firewall, respectively.
    Type: Grant
    Filed: June 22, 2001
    Date of Patent: October 24, 2006
    Assignee: Tumbleweed Communications Corp.
    Inventors: Jean-Christophe Denis Bandini, Jeffrey C. Smith